SloppyLemming Targets Pakistan and Bangladesh Governments Using Dual Malware Chains
SloppyLemming Targets Pakistan and Bangladesh Governments Using Dual Malware Chains
https://thehackernews.com/2026/03/sloppylemming-targets-pakistan-and.html
Publish Date: 2026-03-03 01:53:00
Source Domain: thehackernews.com
The threat activity cluster known as SloppyLemming has been attributed to a fresh set of attacks targeting government entities and critical infrastructure operators in Pakistan and Bangladesh.
The activity, per Arctic Wolf, took place between January 2025 and January 2026. It involves the use of two distinct attack chains to deliver malware families tracked as BurrowShell and a Rust-based keylogger.
“The use of the Rust programming language represents a notable evolution in SloppyLemming’s tooling, as prior reporting documented the actor using only traditional compiled languages and borrowed adversary simulation frameworks such as Cobalt Strike, Havoc, and the custom NekroWire RAT,” the cybersecurity company said in a report shared with The Hacker News.
SloppyLemming is the moniker assigned to a threat actor that’s known to target government, law enforcement, energy, telecommunications, and technology entities in Pakistan, Sri Lanka, Bangladesh, and China since at least 2022. It’s also tracked under the names Outrider Tiger and Fishing Elephant.
Prior campaigns mounted by the hacking crew have leveraged malware families like Ares RAT and WarHawk, which are often attributed to SideCopy and SideWinder, respectively.
ArcticWolf’s analysis of the latest attacks has uncovered the use of spear-phishing emails to deliver PDF lures and macro-enabled Excel documents to kick-start the infection chains. It described the threat actor as operating with moderate capability.
The PDF decoys contain URLs designed to lead victims to ClickOnce application manifests, which then deploy a legitimate Microsoft .NET runtime executable (“NGenTask.exe”) and a malicious loader (“mscorsvc.dll”). The loader is launched using DLL side-loading to decrypt and execute a custom x64 shellcode implant codenamed BurrowShell.
“BurrowShell is a full-featured backdoor providing the threat actor with file system manipulation, screenshot…
